
How to Set Up a GCC High Tenant: Step-by-Step Guide
Emily Bonnie
Senior Content Marketing Manager
Anna Fitzgerald
Senior Content Marketing Manager
Microsoft 365 GCC High isn’t something you can spin up in a few clicks.
Unlike commercial Microsoft 365, GCC High lives in a separate government cloud with its own identity endpoints, provisioning process, and access controls. Getting started requires eligibility validation, an authorized reseller, and manual tenant creation by Microsoft.
This guide walks through the full process so you can understand what’s actually involved, whether you plan to handle it internally or work with a partner. If you handle Controlled Unclassified Information (CUI), need to meet CMMC Level 2 requirements, or are subject to DFARS 252.204-7012, this is where the work starts.
Before you begin, make sure GCC High is the right environment for your organization. Choosing the wrong environment between GCC and GCC High is one of the most expensive mistakes teams make, and it’s not easy to undo.
What you’re actually doing when you “set up” GCC High
Setting up a GCC High tenant is best understood as a four-phase process.
First, you validate your eligibility with Microsoft. Then you purchase licenses through an authorized reseller. After that, you wait for Microsoft to provision your tenant, which is a manual process in the government cloud. Finally, once the tenant is available, you configure it for security and compliance.
Each of these phases is straightforward on paper, but in practice they introduce their own delays, dependencies, and points where organizations tend to get stuck.
Phase 1: Validate your eligibility (1–3 weeks)
GCC High is restricted to three types of organizations: government entities at the federal, state, local, or tribal level; solution providers serving those agencies; and commercial organizations that handle government-controlled data. For most defense contractors, that third category is the relevant one.
When you apply, it’s important to select “Category 3: Customers handling government-controlled data.” Choosing Category 2 will qualify you for Azure Government, not GCC High, and you’ll need to restart the process.
Documentation you’ll need
Microsoft’s US Government Cloud Eligibility Team will require proof that your organization handles regulated data.
| | Documentation type | What it is | Strength | Validation speed | Notes |
| --- | --- | --- | --- | --- | --- |
| CAGE Code | CAGE Code | DoD contractor identifier | Strongest | Fast | Preferred and fastest to validate |
| SAM.gov | SAM.gov registration | Active federal vendor registration | Strong | Fast to moderate | Must be active |
| Contract | Government contract | Proof of regulated data handling | Moderate | Moderate | Best with DFARS/CMMC references |
| Sponsor letter | Letter from agency or prime | Confirms role in handling CUI | Moderate | Moderate to slow | Should clearly define data + requirement |
| ITAR/EAR | Export control documentation | Proof of controlled data handling | Moderate | Moderate | Often paired with other documentation |
If you have a CAGE Code or active SAM.gov registration, lead with that. Those are typically validated faster than contract-based submissions.
How to submit the application
To submit your application, you’ll need to complete Microsoft’s Government Cloud validation form.
Microsoft does not maintain a stable direct URL for this form. The most reliable way to find it is by searching for “Microsoft Government General Validation.”
From there, select Microsoft 365 GCC High, choose Category 3, and provide your organization’s details along with a clear explanation of why you require GCC High. Naming the regulation and the type of data involved helps the eligibility team validate your request quickly.
Most delays happen at this stage, and they’re usually avoidable.
Applications tend to stall when justification is vague, documentation is outdated, or the wrong category is selected. The fastest approvals are clear, specific, and complete the first time.
Phase 2: Purchase through an AOS-G partner (1–2 weeks)
Even after your eligibility is approved, you won’t be able to purchase GCC High through Microsoft’s standard channels.
Licenses are sold through government-authorized partners. Organizations with fewer than 500 users typically work with an AOS-G partner, while larger organizations may purchase through an Enterprise Agreement via an LSP reseller. In practice, most defense contractors fall into the first group.
This is also where cost variability comes in. Because GCC High is sold through partners and often bundled with onboarding or migration services, pricing can vary significantly depending on the level of support you choose.
What to look for in a GCC High partner
Not every Microsoft partner is authorized to sell GCC High, and not every authorized partner approaches it the same way.
AOS-G partners go through additional vetting related to government cloud experience and compliance frameworks like FedRAMP and DFARS. That authorization is the baseline. Beyond that, the difference is in how the partner supports you through setup and beyond.
Some partners focus primarily on licensing and provisioning. Others bundle GCC High with full migration and managed services engagements. Both models are valid, but they come with different levels of cost, involvement, and long-term ownership.
It’s worth being clear on what you actually need. If you’re looking for a partner to handle everything end-to-end, a full-service provider may make sense. If you want to retain control of your environment and understand how it’s configured, working with a partner that can provide licensing and guidance without taking over the entire implementation can be a better fit.
Secureframe is an authorized GCC High reseller and works with organizations on both sides of that spectrum. Some teams use Secureframe primarily to procure licenses and get through provisioning, while others pair that with ongoing support for mapping their environment to CMMC requirements and preparing for assessment.
The important part is that whoever you work with can clearly explain their role — whether they’re providing licenses, implementation support, compliance guidance, or all three — and how that aligns with your internal capabilities.
Which Microsoft GCC High license to choose
| | Business Premium GCC High | Microsoft 365 G3 GCC High | Microsoft 365 G5 GCC High |
| --- | --- | --- | --- |
| Best fit for | Small to mid-sized contractors starting CMMC Level 2 | Organizations needing broader enterprise security and compliance | Organizations with advanced security and audit needs |
| Core capabilities | M365 apps, Entra ID, Intune, MFA, Defender for Business | Enterprise productivity, expanded compliance and governance | Everything in G3 plus advanced security, analytics, and investigation tools |
| Security depth | Baseline controls for many SMB environments | Stronger governance and compliance tooling | Advanced detection, insider risk, and eDiscovery |
| Cost considerations | Most cost-effective entry point | Mid-tier pricing, can scale quickly | Highest cost, best used selectively |
| What to watch for | May need add-ons for advanced use cases | Over-assigning increases cost | Tenant-wide assignment drives unnecessary spend |
For most small to mid-sized contractors, Business Premium GCC High is a practical starting point. It includes many of the core capabilities needed for CMMC Level 2 without the cost of higher-tier enterprise licenses.
One of the most common mistakes at this stage is over-licensing. Not every user needs the highest tier. Align licenses to roles and data exposure rather than defaulting to a single level across the organization.
Phase 3: Tenant provisioning (Up to 30 days)
Once your licenses are processed, your partner submits a provisioning request to Microsoft.
From that point forward, the process is handled manually within Microsoft’s government cloud environment. There is no instant provisioning like you would see in commercial Microsoft 365.
You’ll receive a default .onmicrosoft.us tenant and global administrator credentials, but you won’t be able to begin full configuration until provisioning is complete.
Understanding the .us environment
GCC High operates entirely on .us endpoints rather than .com.
This affects admin portals, identity services, API endpoints, and integrations. Tools and scripts built for commercial Microsoft 365 environments will not work without modification.
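One way to find what needs changing before a commercial script is pointed at GCC High is to scan it for commercial hosts and for connection cmdlets that lack a government environment parameter. This is an added example, not code from the original guide; the host map covers a few common endpoints only, and the sample script and `contoso` tenant name are constructed.

```python
import re

# Commercial host -> GCC High host (Microsoft's published US Government endpoints).
HOST_MAP = {
    "login.microsoftonline.com": "login.microsoftonline.us",
    "graph.microsoft.com": "graph.microsoft.us",
    "outlook.office365.com": "outlook.office365.us",
    "portal.azure.com": "portal.azure.us",
}
# Tenant hosts such as contoso.sharepoint.com become contoso.sharepoint.us.
SHAREPOINT = re.compile(r"[a-z0-9-]+\.sharepoint\.com", re.I)
# Connection cmdlets target the commercial cloud unless told otherwise.
REQUIRED_PARAM = {
    "connect-mggraph": "-Environment USGov",
    "connect-exchangeonline": "-ExchangeEnvironmentName O365USGovGCCHigh",
}

def find_commercial_references(script_text):
    """Return (line_number, found, suggested_fix) for each commercial-cloud reference."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), 1):
        lowered = line.lower()
        if lowered.lstrip().startswith("#"):
            continue  # whole-line PowerShell comment
        for host, gov_host in HOST_MAP.items():
            if host in lowered:
                findings.append((number, host, gov_host))
        for match in SHAREPOINT.finditer(line):
            host = match.group(0)
            findings.append((number, host, host[:-len("com")] + "us"))
        for cmdlet, param in REQUIRED_PARAM.items():
            if cmdlet in lowered and param.lower() not in lowered:
                findings.append((number, cmdlet, "add " + param))
    return findings

# Constructed sample: a script originally written for commercial Microsoft 365.
SAMPLE_SCRIPT = '''\
# nightly user export
Connect-MgGraph -Scopes "User.Read.All"
$token = Invoke-RestMethod "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
Invoke-RestMethod "https://graph.microsoft.us/v1.0/users" -Headers $h
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
$site = "https://contoso.sharepoint.com/sites/cui"
'''

if __name__ == "__main__":
    for number, found, fix in find_commercial_references(SAMPLE_SCRIPT):
        print(f"line {number}: {found} -> {fix}")
```

The check is line-based, so a cmdlet whose parameters continue onto the next line with a backtick will be reported and needs a manual look.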
Adding your custom domain (Microsoft Graph)
Custom domains in GCC High should be added using Microsoft Graph PowerShell.
```powershell
# Connect to Microsoft Graph (GCC High) with permission to manage domains
Connect-MgGraph -Environment USGov -Scopes "Domain.ReadWrite.All"

# Add your custom domain
New-MgDomain -Id "yourcompany.com"

# Retrieve DNS verification records
Get-MgDomainVerificationDnsRecord -DomainId "yourcompany.com"

# After adding the DNS record, verify the domain
Confirm-MgDomain -DomainId "yourcompany.com"
```
After adding the required DNS record, verification typically completes within a few hours depending on propagation.
Phase 4: Configure your tenant for CMMC
A newly provisioned GCC High tenant is essentially empty. It has no security policies, no device controls, and no data governance configured.
Microsoft provides the infrastructure baseline, but your configuration determines whether you meet CMMC requirements.
Step 1: Secure admin access
Start by securing your administrator accounts.
Create primary admin accounts tied to your custom domain, and set up at least two break-glass accounts that are excluded from Conditional Access. Store their credentials securely offline and use them only for emergency access.
If your licensing supports it, enable Privileged Identity Management to reduce standing privileges.
Step 2: Configure Entra ID and Conditional Access
| | Configuration area | What to configure | Why it matters for CMMC |
| --- | --- | --- | --- |
| Multi-factor authentication | MFA | Require MFA for all users | Core identity control and first area assessors review |
| Conditional Access | Policies | Apply policies for users, roles, devices, and locations | Ensures controls are enforced, not optional |
| Legacy authentication | Protocols | Disable Basic Auth and legacy protocols | Prevents MFA bypass |
| Privileged access | Admin roles | Limit standing access and use role-based controls | Reduces attack surface |
| Break-glass accounts | Emergency access | Create and exclude from policies | Ensures recovery path |
| Device access | Compliance | Require compliant devices | Protects CUI access |
| Location restrictions | Geography | Restrict access by region | Mitigates unauthorized access risk |
As you build out Conditional Access, focus on establishing a consistent baseline across all users.
- Require MFA for all users
- Block legacy authentication
- Require compliant or managed devices
- Restrict access based on location
Misconfiguration here is one of the most common causes of gaps. Policies may exist but not be fully enforced, or exceptions may be broader than intended. Review assignments carefully before enabling policies.
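The review described above can be run against an export of your policies. The following added example (not part of the original guide) audits policies shaped like Microsoft Graph `conditionalAccessPolicy` JSON for the four baseline goals, report-only or disabled state, and exclusions beyond the break-glass accounts. The policy names, object IDs, and the `sample_policy` helper are constructed placeholders.

```python
GOALS = ["Require MFA for all users", "Block legacy authentication",
         "Require compliant or managed devices", "Restrict access based on location"]
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth

def goals_met(policy):
    """Map one policy's grant controls and conditions to the baseline goals it covers."""
    cond = policy["conditions"]
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    legacy = LEGACY_CLIENTS <= set(cond.get("clientAppTypes", []))
    checks = ["mfa" in controls, "block" in controls and legacy,
              "compliantDevice" in controls,
              "block" in controls and bool(cond.get("locations"))]
    return {goal for goal, ok in zip(GOALS, checks) if ok}

def audit_policies(policies, break_glass_ids):
    """Flag unenforced policies, broad exclusions, and baseline goals nothing enforces."""
    findings, covered, bg = [], set(), set(break_glass_ids)
    for p in policies:
        users, name = p["conditions"]["users"], p["displayName"]
        excluded = set(users.get("excludeUsers", []))
        if p["state"] != "enabled":  # disabled or enabledForReportingButNotEnforced
            findings.append(f"{name}: state is {p['state']}, not enforced")
            continue
        if excluded - bg or users.get("excludeGroups"):
            findings.append(f"{name}: exclusions beyond break-glass accounts")
        if not bg <= excluded:
            findings.append(f"{name}: break-glass accounts not excluded")
        if "All" in users.get("includeUsers", []):
            covered |= goals_met(p)
    return findings + [f"baseline gap: {g}" for g in GOALS if g not in covered]

def sample_policy(name, state, controls, exclude, groups=(), clients=("all",)):
    # Hypothetical helper: builds a constructed policy in the Graph JSON shape.
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": list(clients),
                           "users": {"includeUsers": ["All"],
                                     "excludeUsers": list(exclude),
                                     "excludeGroups": list(groups)}},
            "grantControls": {"builtInControls": list(controls)}}

BREAK_GLASS = ["bg-1", "bg-2"]  # placeholder object IDs
SAMPLE = [
    sample_policy("CA001 Require MFA", "enabled", ["mfa"], BREAK_GLASS),
    sample_policy("CA002 Block legacy auth", "enabledForReportingButNotEnforced",
                  ["block"], BREAK_GLASS, clients=LEGACY_CLIENTS),
    sample_policy("CA003 Require compliant device", "enabled", ["compliantDevice"],
                  ["bg-1"], groups=["grp-contractors"]),
]
```

On the constructed sample, the legacy-authentication policy exists but is report-only, so the audit reports it both as unenforced and as a baseline gap.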
Step 3: Configure Intune
Intune becomes your central platform for managing devices.
Define what qualifies as a compliant device, including encryption, endpoint protection, and OS requirements. Then link compliance to Conditional Access so only approved devices can access resources.
If you’re migrating from commercial Microsoft 365, plan for device re-enrollment. This step often requires direct user interaction and can take longer than expected.
Step 4: Configure Purview
Purview controls how sensitive data is classified and protected.
Set up sensitivity labels aligned to your CUI categories, and configure Data Loss Prevention policies to control how that data is shared. Enable audit logging immediately, since it is not retroactive.
One common gap here is incomplete policy coverage. Labels or DLP rules may be configured but not applied consistently across workloads like Exchange, SharePoint, and Teams.
Step 5: Configure Exchange Online
Exchange Online requires targeted hardening.
Disable SMTP authentication where possible, block automatic forwarding to external addresses, and configure DMARC, DKIM, and SPF for your domain.
A common issue here is leaving legacy protocols enabled for compatibility. These often bypass modern authentication controls and introduce risk if not explicitly disabled.
Step 6: Configure SharePoint and OneDrive
Restrict external sharing, enable versioning, and apply sensitivity labels to CUI storage locations.
Monitoring matters here. Configure audit logging and alerts to detect unusual activity like bulk downloads or unexpected sharing events.
Step 7: Configure Microsoft Teams
Restrict external access, disable consumer federation, and ensure meeting data remains within your tenant.
If needed, apply information barriers to prevent data sharing between internal groups.
Common mistakes that cause delays and rework
Most issues during GCC High setup don’t come from complexity. They come from assumptions.
One of the most common is assuming that GCC High automatically makes you compliant. It provides a strong foundation, but your configuration determines whether you actually meet CMMC requirements.
Licensing is another frequent challenge. Over-licensing increases cost, while under-licensing can limit your ability to implement required controls.
Break-glass accounts are often overlooked or misconfigured, which can lead to lockouts. In GCC High, recovery can take longer than expected.
Default settings are another source of risk. External sharing and legacy authentication are often left enabled longer than they should be.
Finally, many teams underestimate how different the .us environment is. Scripts and integrations designed for commercial Microsoft 365 often fail without modification.
GCC High gets you infrastructure, not CMMC readiness
By the end of this process, you’ll have a provisioned and configured GCC High tenant.
What you won’t have yet is a fully assessment-ready environment.
GCC High gives you the infrastructure baseline. It does not give you a mapped control set, documented implementation, or an evidence package.
That’s the next phase of work.
Secureframe Defense builds on top of your GCC High environment by mapping your configuration to CMMC requirements, identifying gaps, and helping you maintain the documentation and evidence your assessor will expect.
If you want to see how that works in practice, you can schedule a demo to walk through how Secureframe connects to GCC High and tracks your progress toward CMMC readiness.
